A new ransomware group known as 'Mora_001' has been identified exploiting two authentication bypass vulnerabilities in Fortinet's security appliances to deploy a custom ransomware strain named SuperBlack.
The attack begins with the exploitation of two authentication bypass vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which allow Mora_001 to bypass authentication mechanisms and directly access Fortinet firewall appliances, giving them an initial foothold in targeted networks.
Once inside, Mora_001 proceeds to deploy SuperBlack, a custom ransomware designed to encrypt data on compromised systems. This encryption renders critical files inaccessible, forcing victims to restore from backups or pay a ransom to regain access.
Fortinet initially disclosed CVE-2024-55591 on January 14, 2025, acknowledging its exploitation as a zero-day vulnerability. Security researchers reported that this flaw had been actively used in attacks since November 2024 to breach FortiGate firewalls. Subsequently, on February 11, 2025, Fortinet updated their advisory to include CVE-2025-24472, clarifying that this vulnerability had been addressed in January and, at that time, was not known to be exploited.
Analysis of the SuperBlack ransomware has revealed that Mora_001 is a former LockBit member or affiliate. SuperBlack is built from LockBit 3.0's leaked builder, with the original branding removed. Additionally, the SuperBlack ransom note includes a TOX chat ID associated with LockBit operations, and several of the IP addresses used in the attacks overlap with those previously associated with LockBit.
Source: Bleeping Computer
Analysis
Given the critical role Fortinet devices play in network security, successful exploitation of these flaws could have widespread consequences, affecting enterprise networks, government organizations, and other high-value targets.
There have been other instances where vulnerabilities in Fortinet products were exploited to deploy ransomware. For example, in October 2024, threat actors actively targeted CVE-2024-23113, a critical vulnerability affecting multiple Fortinet products, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, to gain unauthorized access, which in turn facilitated the deployment of ransomware and other malicious activity.
Nation-state actors have increasingly targeted vulnerabilities in Fortinet devices to conduct espionage operations. A prominent example is the 2024 cyberattack attributed to China's state-sponsored group, Salt Typhoon. This group exploited unpatched vulnerabilities in Fortinet and Cisco network devices to infiltrate major U.S. telecommunications firms, including AT&T, Verizon, Lumen Technologies, and T-Mobile. The attackers accessed metadata of calls and text messages from over a million users, including political figures such as Donald Trump and staff from the Kamala Harris 2024 presidential campaign. They also compromised wiretapping systems used for court-authorized surveillance.
Similarly, the Chinese state-sponsored group Volt Typhoon has been observed exploiting vulnerabilities in networking appliances, including those from Fortinet, to gain initial access to targeted networks. Once inside, they maintain persistent, long-term access, enabling them to conduct espionage activities and potentially disrupt critical infrastructure.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from ransomware actors like Mora_001. Field Effect MDR users are automatically notified if ransomware activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that users impacted by the exploited Fortinet flaws update their devices as soon as possible.
While defending against ransomware attacks may seem intimidating at first, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored separately from the operational network so that they are not encrypted during an attack and can be used to restore affected devices.
Update and patch software
Regular patching, updating, and maintenance helps protect against, or eliminate, known cybersecurity vulnerabilities in IT systems and is one of the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Secure IoT Devices
It is imperative for organizations to ensure that IoT devices are secured and monitored alongside traditional endpoints. Implementing network segmentation, regular vulnerability assessments, and extending EDR capabilities to encompass a wider array of devices are essential steps in mitigating such sophisticated attack vectors.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.